[dns-operations] dropping fragmented requests

Doug Porter dsp at dsp.name
Fri Apr 8 22:29:34 UTC 2016


I think fragmented queries to Route53 already don't work.  Maybe you
recently blocked it?  Maybe frags are ending up on different anycast
servers due to the 5-tuple ecmp hash?  The latter is the reason it
doesn't work in my environment.  We've not observed any problems after
years of running this way.


0 # dig @205.251.199.224
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com. a
+short
0 # ip route add 205.251.199.224/32 via 158.85.191.65 mtu 68
0 # dig @205.251.199.224
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com. a
+short

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>>
@205.251.199.224
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com. a
+short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
9 #


The above test was done on an EC2 machine.  I also tested against a
different server I operate where frags do work to confirm the test
setup was valid.

-- 
dsp
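The 5-tuple ECMP explanation offered in the post, modelled as an added example (not the poster's code): only the first fragment of a UDP datagram carries the UDP header, so a balancer that hashes ports when it sees them and falls back to addresses only for later fragments can send the pieces of one query to different anycast instances. The client address, ports, the four-backend count and the hash function are constructed; the 63-character label, the Route53 address and the MTU of 68 are taken from the post.

```python
"""Model of how one DNS query's IP fragments can reach different anycast servers
behind a 5-tuple ECMP hash. Constructed assumptions: the balancer hashes
(src, dst, proto, sport, dport) when the UDP header is present and only
(src, dst, proto) for non-first fragments, which carry no UDP header; 4 backends."""
import hashlib
import struct

MTU = 68      # minimum IPv4 MTU, the value the post forces with `ip route ... mtu 68`
IP_HDR = 20   # IPv4 header length without options
UDP = 17

def dns_query(name, qtype=1):
    """Build a minimal DNS query (id 0x1234, RD set, one question, class IN)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, flags (RD), qdcount=1
    return hdr + labels + b"\0" + struct.pack("!HH", qtype, 1)

def fragment(src, dst, sport, dport, payload, mtu=MTU):
    """Split one UDP datagram into IPv4 fragments; offset is in 8-byte units."""
    datagram = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    step = (mtu - IP_HDR) // 8 * 8        # fragment data must be a multiple of 8
    return [{"src": src, "dst": dst, "proto": UDP, "offset": off // 8,
             "mf": off + step < len(datagram), "data": datagram[off:off + step]}
            for off in range(0, len(datagram), step)]

def ecmp_bucket(frag, n_servers):
    """Pick a backend as a 5-tuple ECMP hash would.  Only the first fragment
    (offset 0) exposes the UDP ports; later fragments are hashed on the
    3-tuple, so the two results need not agree."""
    key = f"{frag['src']}|{frag['dst']}|{frag['proto']}"
    if frag["offset"] == 0:
        sport, dport = struct.unpack("!HH", frag["data"][:4])
        key += f"|{sport}|{dport}"
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % n_servers

def servers_hit(src, dst, sport, dport, payload, n_servers=4):
    """Backend indexes reached by the fragments of one query."""
    return {ecmp_bucket(f, n_servers) for f in fragment(src, dst, sport, dport, payload)}

def find_splitting_port(src, dst, dport, payload, n_servers=4, ports=range(1024, 2048)):
    """First source port whose fragments are spread over more than one backend."""
    for sport in ports:
        if len(servers_hit(src, dst, sport, dport, payload, n_servers)) > 1:
            return sport
    return None

if __name__ == "__main__":
    query = dns_query("a" * 63 + ".com")     # the post's 63-character label
    sport = find_splitting_port("10.0.0.1", "205.251.199.224", 53, query)
    print(len(fragment("10.0.0.1", "205.251.199.224", sport, 53, query)), "fragments;",
          "source port", sport, "reaches backends", servers_hit("10.0.0.1", "205.251.199.224", sport, 53, query))
```

A query that fits in one fragment always reaches a single backend, which is why only the long name in the post times out while ordinary lookups succeed.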


